[Snort-users] Snort as a host-based IDS

Saad Kadhi bsdguy at ...1472...
Sun Oct 14 22:47:04 EDT 2001


On Wed, 2001-10-10 at 17:05, Kevin Brown wrote:
> On a machine that slow you would get better performance running Linux or BSD
> instead of Win2k for snort/php/acid/apache and have fewer inherent
> vulnerabilities (e.g. IIS crap).
I agree with this. My personal preference goes to OpenBSD because:
1. it's very easy to set up
2. secure operating system
3. coherent stuff
4. a true workhorse even on old machines after some kernel tweaking

But I don't see any point to have snort as an HIDS. It doesn't make sense
to me. An HIDS is more on the OS/users behavior/filesystem change than
on the what-is-that-weird-traffic-thru-the-wire. Snort "analyzes" only
the latter. Then better run snort on a dedicated box if you are
interested in watching the wire :)


> 
> -----Original Message-----
> From: Pesek Wolfgang (Mail) [mailto:WPesek at ...3042...]
> Sent: Tuesday, October 09, 2001 12:55
> To: 'Chris Kirby '; ''snort-users at lists.sourceforge.net' '
> Subject: AW: [Snort-users] Snort as a host-based IDS
> 
> 
> I run a farm of 26 Webservers and snort it with a P133/64 MB running on
> Windows 2000 Server. Sure needs some special installation of the OS to
> reduce load of the cpu (disable all unneeded services and so on..)
> Also I log into a mysql DB and query this with ACID. Works fine on one
> mirrored port on our Cisco 2924XL.
> So from my point of view just go ahead and use an older box to run snort !
> Just one little thing to say : I use a script to flush the Database when the
> alerts are growing above ca. 5000.. cause then you run into timeouts when
> querying the DB. Not sure if this is a problem with mySQL/ACID or the
> really old hardware.
> Hope I could give you some points to think about..
> Wolfgang
> 
> 
> -----Original Message-----
> From: Chris Kirby
> To: 'snort-users at lists.sourceforge.net'
> Sent: 09.10.01 20:55
> Subject: [Snort-users] Snort as a host-based IDS
> We have a server farm of about ten Windows NT4 webservers that I would
> like to install Snort on. Can snort be installed on win32 machines as a
> host-based IDS or can it only function as a network-based IDS on this
> particular platform? Since we do not have a lot of bandwidth pushing
> through (under 2mb/s), would it be better to dedicate a box as a network
> based IDS?
> Also, can snort as a host-based IDS detect filesystem changes or would I
> just install tripwire along with snort to get best of both worlds?
> One issue however is that our webservers are sitting behind F5 Load
> balancers and are in a switched environment. I am not sure if our
> switches (Cisco 2924XL) will support spanning ports or not, does anyone
> know? I may have to stick with host based IDS no matter what if it does
> not.
> Since our bandwidth is not high, could we get away with one Intel
> Pentium 3-750mhz box running Snort to monitor both the segment in front
> of firewall as well as the DMZ? Is there any security risk in installing
> a network based IDS that can bypass the firewall or does the "read-only"
> ethernet cable splice ensure one-way traffic only?
> Any comments are welcome. :) Thanks in advance!
> Chris.
> 
> 
> 
> _______________________________________________ 
> Snort-users mailing list 
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 
-- 
/saad
[put your signature here]
self-customize-sig(tm). another dumb patent...
nodisclaimer